Tag Info

Nope, the picture on the left of the password field has nothing to do with the security of the login process. This is, sadly, a "usability" feature. It's called a Visual Hash (here's an example). Actually, the avatar you're currently using is an example of visual hashes.
Because Lotus Notes displays a random number of X in the password field, the ...

There is some information on this defunct page. Apparently, the idea that the "moving picture" is there to distract shoulder surfers is widespread, and wrong. That's not how this picture works; what it does is actually worse, although it proceeds from good intentions.
When you type the password letters, Lotus employs a "fairly complicated" but deterministic ...

Closed source is more secure than open-source as attackers can view the source code and find and exploit vulnerabilities. While I'm not claiming this is always false, with open source software it's at least possible for outside experts to review the software looking for gaping vulnerabilities/backdoors and then publicly patching them. With closed source ...

Overall, the protocol does not appear to increase security over existing technology. If you are looking for the best way to protect your identity online, this is without question not it. But let's go over the pros and cons:
Advantages
It's impossible to "share" a password in the narrow sense that a malicious website can't use the authentication provided to ...

You don't need DNS names to be detectable.
The entire IPv4 can be scanned in less than a day. And it has been done. And it is still going on.
Therefore you must assume that your IP address has been discovered.
You can download all the certificates for all the IPv4's port 443 from Rapid7's Sonar project.
-> Make this a nice demo. Download the ...

Some examples:
Bigger keys. 4096-bit RSA, 256-bit AES... more bits are always better. (See the comments: there is no point to have keys bigger than the size which ensures the "cannot break it at all" status; but bigger keys imply network and CPU overhead, sometimes in large amounts.)
Automatic enforcement of "safe functions" like snprintf() instead of ...

This might make very casual surfers move on, but anyone running any sort of scan on your server will discover the OS, web server version and running software.
For example the nmap http-enum NSE script should detect that Outlook Web Access is running should anyone care to run it against your server.
Yes, by all means replace the home page with something ...

Great question! As it happens, I can present experimental data on this question -- and the data is fascinating. (I noticed that some of the answers contain speculation from first principles about how much security these security images offer. However, the data turns out to have some surprises for all of us!)
Experimental methodology.
"Security images" ...

I think it's fair to say that the idea that any large organisation is entirely impervious to attack has been proven false over the last five years or so. Everyone from nation states through large corporations, security consultancies and other security-minded companies has had breaches.
One reason that a bank hasn't been thrown into "complete chaos" as you ...

Since raw emails are not encrypted, what you can read in an email could have (conceptually) been read by anybody. However, to read the email, the attacker would still have to connect to the HTTPS server, which leaves tracks (the IP from which the attacker connects will be known to that server -- of course, that IP will probably be that of a Tor exit node). ...

I'll add my own appsec examples that I have seen while consulting:
"I'll email you an encrypted zip and include the password in the same email..." This has happened to me more than once. A locked door won't stay locked if you leave the key in the door.
"But you couldn't have gotten SQL Injection and SMTP injection, we called sanitize() on everything!". ...

I think there's something to be said for setting a bar, regardless of how low it is. Can Tripwire be bypassed? Sure. Will it catch things that you wouldn't otherwise? Yes it will.
The main problem I've seen in a Tripwire installation is tuning it to where it isn't false-positive laden to the point of ignoring it. If it blows up every time someone ...

Any feature that "doesn't provide any additional [...] benefit" should be removed, security-related or otherwise. Besides increasing complexity and friction, it can introduce additional attack surface and end up making you less secure.

As usual, take anything related to Steve Gibson with a truckload of salt. Obligatory attrition.org link.
Let's have a look at Gibson's description of his protocol.
The QR code presented near the login prompt contains the URL of the authentication service for the site. The URL includes a securely generated long random number so that every ...

Passwords must be salted and hashed before storing in the database. SHA-1 is a good fit, SHA-512 is perfect.
I still hear that one from many security professionals, security training, and current security guides.

I don't rate their security particularly high; but they are more than just security theater. They potentially can make the job of the attacker more difficult and the job of security forensic experts tracking down anomalies easier.
Let's say there is no security image/phrase or equivalent. Then a man-in-the-middle attacker can construct a fake version ...

One area where ZIP files could present a risk to the application is the zip bomb attack. This occurs where an archive is constructed in such a way that when it's opened it consumes a large quantity of space on the server, potentially causing it to crash.
It might be possible to mitigate this issue by opening zip files on a dedicated filesystem and then ...

Legally speaking, a corporation is one of the best "liability shields" you can have. It is its own entity that is, for most purposes, the entity that the rest of the world is interacting with when they interact with anyone empowered to represent it and make decisions on its behalf. It, and not its agents, bears the full brunt of any legal liability for ...

I'd like to add this to what The Bear has already said.
This method adds almost no security at all. Why?
Exposing the email with the link = Exposing the real message
This is almost the same as sending the text in the same email used to send the link. Then why are they doing this, you might ask. Here are some possible reasons:
Delivery and reading ...

SQRL is a convenient solution to the problem of the username/password paradox (i.e. the convenience/security tradeoff) without using a third party. It provides a simple alternative to the most popular authentication model (Username & Password), with virtually no compromise to security. It is practically just as secure as any of the common ...

Jack sits back, reflects on his thoughts for the moment, scratches his head wondering if you mean the magic bytes that would be used by file(1), the signature of the internal fs, the UUID of the device... and how to phrase it to be understood by Diane.
Jack - "What do you mean. What's that?"
Diane thinks Jack has absolutely no idea and proceeds with ...

Pronounceable words are more-or-less sequences of syllables. What constitutes a syllable depends on the language, including the language variant (British, Scottish, American, Indian... versions of English are not rigorously identical). So we will make some approximations.
Let's suppose that we want two-letter syllables, always a consonant followed by a ...

The biggest risk in any language is to have developers who do not master the said language. Secure development requires thinking of all "corner cases" and it does not work unless the developer knows what he does at all points. A competent C programmer who does not know Java will do more secure code in C than in Java (and vice versa).
A case can be made that ...

One thing that hasn't yet been mentioned is that this approach can improve security from a different angle: rather than addressing privacy concerns (which it clearly doesn't), it definitely helps in establishing verifiability.
Anyone can send an email and forge the headers to make it appear to have come from your vendor, but (presuming their systems are ...

To turn a quick profit, it is easier to go after end users. This is why there are so many phishing attacks and password-stealing Trojans.
Banks' internet-facing operations tend to be well secured. The internal office environments less so, although they tend to have good AV. This stops casual Metasploit users, although an advanced attacker with zero day ...

There is no security threat. At least not any that is specific to zip files.
The major concerns have already been outlined by other users. However, all of these are either not harmful to the application itself or not specific to zip files.
Zip Bomb attacks, as described by Rory McCune. These are only a concern if the files will be unpacked.
Inclusion ...

The problem with a zip is that you aren't really sure what's inside of them. You would need to unzip the contents, scan for viruses and then you know that there aren't any known viruses in them.
Second of all, when file uploads are in use, you can only allow a certain amount of file extensions (whitelist rather than blacklist) and you need to verify that ...

Self protection:
What you list in your answer sounds pretty good. About my only thought would be to change your long ranty fake security question answers to truly fake answers. Either sentences or more pseudo-random characters. But assuming you get somewhere with trying to change the system, I don't think you want those in there when some guy who is ...

Tripwires are very useful for defending against userland rootkits. Kernel-land rootkits do not need to replace binaries to subvert the behavior of the system; usually these rootkits are just a Linux Kernel Module (LKM). In fact, when you control the kernel like this, any executable's behavior can be influenced without needing to modify the binary itself. ...